The PAM setup for DeCaf

Two independent elements form the DeCaf PAM setup: a custom module that authenticates the user based on timecodes, and some settings that ensure the user cannot make destructive changes to the home directory.

pam_decaf

The libpam-decaf package provides the PAM module. The recommended modification to /etc/pam.d/gdm is to add this line at the top:

auth    [ignore=reset system_err=reset default=done]        pam_decaf.so

With these control flags the module's result is ignored and the rest of the auth stack runs as usual when the user enters a special bypass code or something is wrong with the database connection; any other result from the module is final.

The configuration is stored in /etc/decaf.conf. On a production system this file must not be readable by the decaf user (i.e. owned by root with mode 600). An example is:

database=decaf
host=localhost
user=decaf
password=secret
decaf_user=decaf

Home directory handling

With libpam-mount and the unionfs kernel module, Debian can be set up so that when the user logs in, a temporary filesystem (tmpfs, which stores the files in memory) is mounted somewhere and then used as an overlay over the real home directory using unionfs. This way, all changes (new files, deleted files, modifications including configuration changes) are stored only on the tmpfs and discarded when the user logs out. Because a process like gconfd might live on for a short while after the session has ended, we unmount lazily. /var/run/decaf/union-rw has to be created, and the relevant lines in /etc/security/pam_mount.conf are:

# Changed line:
umount /bin/umount -l %(MNTPT)
# Added line:
volume decaf tmpfs - tmpfs /var/run/decaf/union-rw mode=700,uid=decaf - -
volume decaf unionfs - unionfs /home/decaf dirs=/var/run/decaf/union-rw=rw:/home/decaf=ro - -

To lock the system down further, /tmp should probably not be writable by users (libpam-tmpdir is one alternative), the various spool files (cron, mail, etc.) have to be checked, and the use of cron and at should be disabled for the decaf user.
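The following check script is an added example, not part of the libpam-decaf package: it verifies the requirements stated above (decaf.conf owned by root with mode 600, the lazy umount and both decaf volumes in pam_mount.conf, and the existence of the tmpfs mount point). Paths and the expected owner are arguments so it can be run against copies; stat -c is assumed to be GNU coreutils as on Debian.

```shell
# Added check script (not part of libpam-decaf). Every function returns 0
# when its check passes and reports the problem on stderr otherwise.

# 0 if FILE exists, is owned by OWNER (default root) and grants nothing to
# group/other (0600, 0400, ...), as required for /etc/decaf.conf, which
# holds the database password.
decaf_conf_private() {
    file=$1; owner=${2:-root}
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    mode=$(stat -c '%a' "$file") && who=$(stat -c '%U' "$file") || return 1
    [ "$who" = "$owner" ] || {
        echo "$file: owned by $who, expected $owner" >&2; return 1; }
    case "$mode" in
        *00) return 0 ;;                 # group and other bits are zero
        *)   echo "$file: mode $mode, expected 600" >&2; return 1 ;;
    esac
}

# 0 if CONF contains the lazy umount command and both decaf volumes
# (the tmpfs scratch space and the unionfs overlay over /home/decaf).
decaf_pam_mount_ok() {
    conf=$1
    for pattern in \
        '^umount[[:space:]]+/bin/umount[[:space:]]+-l[[:space:]]' \
        '^volume[[:space:]]+decaf[[:space:]]+tmpfs[[:space:]]' \
        '^volume[[:space:]]+decaf[[:space:]]+unionfs[[:space:]]'; do
        grep -Eq "$pattern" "$conf" || {
            echo "$conf: no line matching $pattern" >&2; return 1; }
    done
    return 0
}

# 0 if the tmpfs mount point DIR exists (pam_mount does not create it).
decaf_rw_dir_ok() {
    [ -d "$1" ] || { echo "missing directory: $1" >&2; return 1; }
}

# Run all checks; arguments default to the paths used in the text above.
# Usage: decaf_check_all [decaf.conf] [pam_mount.conf] [union-rw dir] [owner]
decaf_check_all() {
    decaf_conf_private "${1:-/etc/decaf.conf}" "${4:-root}" &&
    decaf_pam_mount_ok "${2:-/etc/security/pam_mount.conf}" &&
    decaf_rw_dir_ok "${3:-/var/run/decaf/union-rw}"
}
```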